PYSEC-2026-2057

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/xml2rfc/PYSEC-2026-2057.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2057
Aliases
Published
2026-07-07T16:03:04.649471Z
Modified
2026-07-07T17:48:17.468824131Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
xml2rfc is vulnerable to arbitrary file reads through prepped files
Details

Impact

When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious link element into the prepped RFCXML.

Workarounds

Test untrusted input with link elements with rel="attachment" before processing.

References

This is related to GHSA-cfmv-h8fx-85m7.

References

Affected packages

PyPI / xml2rfc

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.30.2

Affected versions

2.*
2.2.5
2.2.7
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.3.10
2.3.11
2.3.11.1
2.3.11.2
2.3.11.3
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.4.8
2.4.9
2.4.10.dev0
2.4.10
2.4.11
2.4.12
2.5.0
2.5.1
2.5.2
2.5.3.dev0
2.6.0
2.6.1
2.6.2
2.7.0
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.9.0
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5
2.9.6
2.9.7
2.9.8
2.9.9
2.10.0
2.10.1
2.10.2
2.10.3
2.11.0
2.11.1
2.12.0
2.12.1
2.12.2
2.12.3
2.13.0
2.13.1
2.14.0
2.14.1
2.15.0
2.15.1
2.15.2
2.15.3
2.15.4
2.15.5
2.16.0
2.16.1
2.16.2
2.16.3
2.17.0
2.17.1
2.17.2
2.18.0
2.19.0
2.19.1
2.20.0
2.20.1
2.21.0
2.21.1
2.22.0
2.22.1
2.22.2
2.22.3
2.23.0
2.23.1
2.24.0
2.25.0
2.26.0
2.27.0
2.27.1
2.28.0
2.29.0
2.29.1
2.30.0
2.31.0
2.32.0
2.33.0
2.34.0
2.35.0
2.36.0
2.37.0
2.37.1
2.37.2
2.37.3
2.38.0
2.38.1
2.39.0
2.40.0
2.40.1
2.41.0
2.42.0
2.43.0
2.44.0
2.45.0
2.45.1
2.45.2
2.45.3
2.46.0
2.47.0
3.*
3.0.0
3.1.0
3.1.1
3.2.0
3.2.1
3.3.0
3.4.0
3.5.0
3.6.0
3.7.0
3.8.0
3.9.0
3.9.1
3.10.0
3.11.0
3.11.1
3.12.0
3.12.1
3.12.2
3.12.3
3.12.4
3.12.5
3.12.6
3.12.7
3.12.8
3.12.9
3.12.10
3.13.0
3.13.1
3.14.0
3.14.1
3.14.2
3.15.0
3.15.1
3.15.2
3.15.3
3.16.0
3.17.0
3.17.1
3.17.2
3.17.3
3.17.4
3.17.5
3.18.0
3.18.1
3.18.2
3.19.0
3.19.1
3.19.2
3.19.3
3.19.4
3.20.0
3.20.1
3.21.0
3.22.0
3.23.0
3.23.1
3.23.2
3.24.0
3.25.0
3.26.0
3.27.0
3.28.0
3.28.1
3.29.0
3.30.0
3.30.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/xml2rfc/PYSEC-2026-2057.yaml"